Alert: Vulnerability in frox transparent ftp proxy.

From: James Hollingshead (froxat_private)
Date: Thu Nov 29 2001 - 16:51:05 PST


    There is a security hole in all the 0.6.x versions of the frox
    transparent ftp proxy up to and including version 0.6.6. Version 0.6.7
    fixes this vulnerability, and upgrading to this is advised.
    
    Development snapshots are also affected up to and including
    frox-20011031.tar.gz. The vulnerability is fixed in
    frox-20011031-fixed.tar.gz, and any development snapshots that are
    released after this date.
    
    The vulnerability only exists if local caching is enabled
    (i.e. "CacheModule Local" is set in the config file); commenting
    this line out provides a temporary workaround until you can upgrade.
    
    URLs:
    ~~~~
    Frox homepage:
        http://frox.sourceforge.net/
        http://www.hollo.org/frox
    Version 0.6.7:
        http://frox.sourceforge.net/download/frox-0.6.7.tar.gz
        http://www.hollo.org/frox/download/frox-0.6.7.tar.gz
    Patch to version 0.6.7:
        http://frox.sourceforge.net/download/frox-0.6.6-0.6.7.diff.gz
        http://www.hollo.org/frox/download/frox-0.6.6-0.6.7.diff.gz
    Fixed development version:
        http://frox.sourceforge.net/download/frox-20011031-fixed.tar.gz
        http://www.hollo.org/frox/download/frox-20011031-fixed.tar.gz
    
    Vulnerability details:
    ~~~~~~~~~~~~~~~~~~~~~
    
    There is an error in calculating the necessary size for the buffer into
    which cache file header information is written when frox is caching
    ftp retrievals. This buffer is written with sprintf(), which does not
    bound the write, and it may overflow if a hostile ftp server returns a
    long string in reply to an MDTM request while a file with a long
    pathname is being retrieved. This could allow arbitrary code to be
    executed as the user under which frox is running (normally not root).
    There is not currently any known exploit code for this vulnerability.
    
    An installation is vulnerable if it is running frox versions 0.6.0
    through 0.6.6, it has the local caching method selected in the config
    file, and clients make an anonymous ftp connection to a hostile ftp
    server and attempt to download a file with a long pathname.
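    The following C program is an added illustration of the bug class
    described above, not frox's own code: it sketches a cache-header
    writer whose buffer is sized from the pathname plus a fixed
    allowance for the MDTM reply, shows arithmetically how far an
    overlong reply from a hostile server would push sprintf() past that
    buffer, and puts the snprintf()-based hardened form beside it. The
    format string, the 14-byte MDTM allowance, the function names and the
    sample replies are all assumptions made for the example; the sketch
    does not reproduce frox's actual sizing arithmetic, so it does not
    show why the real overflow also depended on a long pathname.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HYPOTHETICAL sketch of the bug class from the advisory, not frox's code.
 * A cache-file header is formatted from the requested path and the server's
 * MDTM reply. The vulnerable sizing budgets a fixed 14 bytes for that reply
 * (a normal "YYYYMMDDhhmmss" timestamp) and then writes with sprintf(),
 * which does not bound the write; a hostile server can reply with far more. */

#define HEADER_FMT "path: %s\nmdtm: %s\n"
#define MDTM_EXPECTED_LEN 14   /* assumption baked into the vulnerable sizing */

/* Vulnerable sizing: every term except the path length is a fixed guess. */
static size_t header_size_vulnerable(const char *path)
{
    return strlen(path) + MDTM_EXPECTED_LEN + sizeof(HEADER_FMT);
}

/* Correct sizing: ask snprintf() how long the formatted string really is. */
static size_t header_size_needed(const char *path, const char *mdtm)
{
    return (size_t)snprintf(NULL, 0, HEADER_FMT, path, mdtm) + 1;
}

/* Bytes sprintf() would write past the vulnerable buffer (0 = fits).
 * Computed arithmetically: performing the overflow is undefined behaviour. */
static size_t vulnerable_overrun(const char *path, const char *mdtm)
{
    size_t have = header_size_vulnerable(path);
    size_t need = header_size_needed(path, mdtm);
    return need > have ? need - have : 0;
}

/* Hardened writer: snprintf() bounds the write and reports truncation,
 * so an oversized header is refused instead of corrupting memory. */
static int write_header_fixed(char *buf, size_t bufsz,
                              const char *path, const char *mdtm)
{
    int n = snprintf(buf, bufsz, HEADER_FMT, path, mdtm);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;               /* would not fit: do not cache this file */
    return n;                    /* bytes written, excluding the NUL */
}

/* Constructed MDTM reply body of n bytes, standing in for a hostile server. */
static char *make_reply(size_t n)
{
    char *r = malloc(n + 1);
    if (!r)
        return NULL;
    memset(r, 'A', n);
    r[n] = '\0';
    return r;
}

/* Overrun of the vulnerable sizing for a reply of n bytes. */
static size_t overrun_for_reply_len(const char *path, size_t n)
{
    char *r = make_reply(n);
    size_t o = r ? vulnerable_overrun(path, r) : 0;
    free(r);
    return o;
}

/* 1 if the hardened writer refuses a reply of n bytes into bufsz bytes. */
static int fixed_header_truncates(const char *path, size_t n, size_t bufsz)
{
    char *r = make_reply(n);
    char *buf = malloc(bufsz);
    int rc = (r && buf) ? write_header_fixed(buf, bufsz, path, r) : -1;
    free(r);
    free(buf);
    return rc < 0;
}

int main(void)
{
    const char *path = "pub/file.txt";   /* constructed sample request */
    printf("normal 14-byte reply:  overrun %zu bytes\n",
           overrun_for_reply_len(path, 14));
    printf("hostile 100-byte reply: overrun %zu bytes\n",
           overrun_for_reply_len(path, 100));
    printf("hardened writer, hostile reply, 45-byte buffer: %s\n",
           fixed_header_truncates(path, 100, 45) ? "refused" : "written");
    return 0;
}
```

    The fix pattern is the one any practitioner should reach for here:
    derive the buffer size from every attacker-influenced input (or let
    snprintf() compute it), and treat a truncated result as an error
    rather than a successful cache write.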
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 07:59:48 PST